This is more an answer than a question, but it may help someone; it took us a long time to figure out.
We have been battling an issue with XP SP2 laptops going on and off the domain for quite a while, and have now figured out how to fix this.
First the issue. Environment: Windows 2003 SP2 domain with XP SP2 computers.
Symptom: XP computers (dual-homed laptops) that sometimes connect to the local (internal) network and other times to another network (typically a wireless network) have problems connecting to certain websites.
They cannot connect because their names do not resolve. When you do an ipconfig /all, the right DNS servers show up, but when you try an nslookup, you see that another DNS server is being used for the actual DNS lookup. You can see which DNS server is being used every time you run nslookup; that information shows in the first two result lines.
This is important to remember: <strong>ipconfig /all does not (always) show you what is really being used</strong>. It only shows what the network interfaces are set to.
So what defines which DNS server is to be used? I realised that this setting may be stored somewhere in the registry. So I ran regedit and searched for the IP address of the DNS server in use according to nslookup. The search found a key called [code]HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSclient[/code]. And there they were, the IP addresses of the DNS servers that were really in use, not the ones ipconfig shows.
How did that registry entry get in there? At some point that machine belonged to an OU (Organisational Unit) in the AD (Active Directory) with a GPO (Global Policy Object) setting for that DNS. When a GPO defines a setting, that setting results in a value being written to the machine's registry. When the machine was later moved to an OU without a DNS server set (DNS server setting not defined), that registry entry was not removed when the policy was updated with gpupdate /force and a reboot. Worse: moving the machine to an OU with another DNS server setting did not work either, and that makes no sense at all.
We did replicate that same issue on more than one system.
Lessons learned:
GPOs create registry settings, so when a GPO does strange things, you may want to run regedit and see if you find relevant keys.
When you change a GPO setting from 'defined' to 'not defined', the policy change may actually not have the desired effect because the setting on the machine (or user?) level is not removed. This is a bug in my opinion.
Running gpresult or the GPO modeling tool in the GPO editor does not always give you the right answer. It certainly did not in our case, since it said the DNS servers were different from what the machine was actually using.
Don't trust Microsoft software, surprise ... Because changing the DNS in the GPO from nothing to something worked. But then subsequently changing it to a third value had no effect. Another bug.
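The check the post describes doing by hand (compare what the interfaces are set to with what the policy key holds) can be scripted. This is an added example, not part of the original post; the function names are hypothetical, and the value name `NameServer` is an assumption the post does not state (it is the value the Group Policy "DNS Servers" setting writes under that key).

```powershell
# Added example, not from the original post.
# Assumption: the policy DNS list lives in the NameServer value of the key the post found.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-PolicyDnsServers {
    param([string]$Key = $PolicyKey)
    if (-not (Test-Path $Key)) { return }
    $value = (Get-ItemProperty -Path $Key).NameServer
    if (-not $value) { return }
    # Stored as one string; split on spaces (commas tolerated as well).
    $value.Split([char[]]' ,', [StringSplitOptions]::RemoveEmptyEntries)
}

function Compare-DnsSources {
    $policy = @(Get-PolicyDnsServers)
    if ($policy.Count -eq 0) {
        'No policy DNS servers in the registry; interface settings apply.'
        return
    }
    'Policy key lists: ' + [string]::Join(', ', $policy)

    # Per-interface DNS servers: the same data ipconfig /all prints.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $nicDns   = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $notOnNic = @($policy | Where-Object { $nicDns -notcontains $_ })
        if ($notOnNic.Count -gt 0) {
            'MISMATCH {0}: interface has [{1}], policy key also lists [{2}]' -f `
                $nic.Description,
                [string]::Join(', ', $nicDns),
                [string]::Join(', ', $notOnNic)
        } else {
            'OK {0}: interface DNS covers the policy list' -f $nic.Description
        }
    }
}

Compare-DnsSources
```

A MISMATCH line is the situation from the post: confirm it with nslookup, whose first two output lines show the server actually queried, and then check whether any GPO currently in scope still defines that setting.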

This sounds like registry tattooing, something that should no longer be occurring when you take the computer out of what Microsoft calls the scope of management.

While I agree with how incredibly complex Microsoft makes this stuff (especially documentation!), I’m not so sure it’s a good idea to distribute DNS server information via Group Policy because of situations like this.


Discuss This Question: 4 Replies


WOW!! Nice job of detective work & sleuthing. Yes, I believe that MS hides many things due to the OS being perceived as easy to use by home users and non-trained administrators. MS became the juggernaut it is due to this perceived ease of use... not by its technical or manageability strengths. Granted, they have improved this and created a more reliable and manageable system. However, things like GPO hidden activities still make one suspicious of anything that is done via a GUI interface. Config files & command line options are still key knowledge and skills that administrators need to have. I think this is why MS is also moving to PowerShell to improve the strength of the command line. On the other hand, this makes things more complex and difficult for the less skilled admins. Change is complex and IT becomes more complex as time passes.

More rant material:
Microsoft has also been typically very poor in documentation and search. How many times have you gone to the MS Knowledgebase with a specific event ID or error code, entered it and NO RESULTS FOUND???
This is so frustrating when all you are looking for is documentation on their product. Makes you wonder if the error codes are done by random number generators ;)

Good piece of following the solution to the bitter end! ;-)
